Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/64152?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/64152?format=api", "purl": "pkg:gem/rack@3.1.20", "type": "gem", "namespace": "", "name": "rack", "version": "3.1.20", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "3.1.21", "latest_non_vulnerable_version": "3.2.6", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21702?format=api", "vulnerability_id": "VCID-9rpp-9xss-duf6", "summary": "Rack has a Directory Traversal via Rack:Directory\n## Summary\n\n`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.\n\n## Details\n\nIn `directory.rb`, `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary. If the server root is `/var/www/root`, a path like `/var/www/root_backup` passes the check because it shares the same prefix, so `Rack::Directory` will list that directory also. \n\n## Impact\n\nInformation disclosure via directory listing outside the configured root when `Rack::Directory` is exposed to untrusted clients and a directory shares the root prefix (e.g., `public2`, `www_backup`).\n\n## Mitigation\n\n* Update to a patched version of Rack that correctly checks the root prefix.\n* Don't name directories with the same prefix as one which is exposed via `Rack::Directory`.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22860", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27712", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27769", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27811", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27903", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27805", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27762", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27695", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27862", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22860" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/" } ], "url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22860", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22860" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479", "reference_id": "1128479", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440737", "reference_id": "2440737", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440737" }, { "reference_url": "https://github.com/advisories/GHSA-mxw3-3hh2-x2mh", "reference_id": "GHSA-mxw3-3hh2-x2mh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mxw3-3hh2-x2mh" }, { "reference_url": "https://usn.ubuntu.com/8066-1/", "reference_id": "USN-8066-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8066-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64149?format=api", "purl": "pkg:gem/rack@2.2.22", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/64152?format=api", "purl": "pkg:gem/rack@3.1.20", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/64153?format=api", "purl": "pkg:gem/rack@3.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5" } ], "aliases": [ "CVE-2026-22860", "GHSA-mxw3-3hh2-x2mh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9rpp-9xss-duf6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21804?format=api", "vulnerability_id": "VCID-skxv-7he3-xqgc", "summary": "Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href\n## Summary\n\n`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.\n\nThis results in a client-side XSS condition in directory listings generated by `Rack::Directory`.\n\n## Details\n\n`Rack::Directory` renders directory entries using an HTML row template similar to:\n\n```html\n<a href='%s'>%s</a>\n```\n\nThe `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL:\n\n```html\n<a href='javascript:alert(1)'>javascript:alert(1)</a>\n```\n\nBecause the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.\n\n## Impact\n\nIf `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`.\n\nWhen a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).\n\n## Mitigation\n\n* Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`).\n* Avoid exposing user-controlled directories via `Rack::Directory`.\n* Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues.\n* Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.\n\nHackerOne profile:\nhttps://hackerone.com/thesmartshadow\n\nGitHub account owner:\nAli Firas (@thesmartshadow)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25500", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05787", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05793", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05801", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05822", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05797", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05758", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05724", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05764", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25500" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/" } ], "url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25500", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25500" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480", "reference_id": "1128480", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440738", "reference_id": "2440738", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440738" }, { "reference_url": "https://github.com/advisories/GHSA-whrj-4476-wvmp", "reference_id": "GHSA-whrj-4476-wvmp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-whrj-4476-wvmp" }, { "reference_url": "https://usn.ubuntu.com/8066-1/", "reference_id": "USN-8066-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8066-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64149?format=api", "purl": "pkg:gem/rack@2.2.22", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/64152?format=api", "purl": "pkg:gem/rack@3.1.20", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/64153?format=api", "purl": "pkg:gem/rack@3.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5" } ], "aliases": [ "CVE-2026-25500", "GHSA-whrj-4476-wvmp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-skxv-7he3-xqgc" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20" }